[teiid-commits] teiid SVN: r3543 - in branches/7.4.x: documentation/admin-guide/src/main/docbook/en-US/content and 2 other directories.

Fri Oct 7 11:25:46 EDT 2011


Author: rareddy
Date: 2011-10-07 11:25:46 -0400 (Fri, 07 Oct 2011)
New Revision: 3543

Modified:
   branches/7.4.x/build/kits/jboss-container/deploy/teiid/teiid-jboss-beans.xml
   branches/7.4.x/documentation/admin-guide/src/main/docbook/en-US/content/security.xml
   branches/7.4.x/runtime/src/main/java/org/teiid/transport/SSLConfiguration.java
   branches/7.4.x/runtime/src/test/java/org/teiid/transport/TestCommSockets.java
Log:
SOA-3448: allow configuring the cipher suites so that the encryption strength can be selected. Also adds documentation for the LDAP configuration.

Modified: branches/7.4.x/build/kits/jboss-container/deploy/teiid/teiid-jboss-beans.xml
===================================================================
--- branches/7.4.x/build/kits/jboss-container/deploy/teiid/teiid-jboss-beans.xml	2011-10-07 14:49:25 UTC (rev 3542)
+++ branches/7.4.x/build/kits/jboss-container/deploy/teiid/teiid-jboss-beans.xml	2011-10-07 15:25:46 UTC (rev 3543)
@@ -221,6 +221,9 @@
         <property name="truststorePassword">passwd</property>
         <!--  1-way, 2-way, anonymous -->
         <property name="authenticationMode">anonymous</property>
+        <!-- uncomment for enforcing the minimum 128 bit encryption, edit or supply only supported cipher suites from JVM
+        <property name="enabledCipherSuites">SSL_RSA_WITH_RC4_128_MD5,SSL_RSA_WITH_RC4_128_SHA,SSL_RSA_WITH_3DES_EDE_CBC_SHA,SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA,SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_DSS_WITH_AES_128_CBC_SHA,TLS_KRB5_WITH_RC4_128_MD5,TLS_KRB5_WITH_RC4_128_SHA,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_KRB5_WITH_3DES_EDE_CBC_MD5,TLS_KRB5_WITH_3DES_EDE_CBC_SHA,TLS_DHE_RSA_WITH_AES_256_CBC_SHA,TLS_DHE_DSS_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA</property>
+         -->
     </bean>
     
     <!-- JDBC Socket connection properties (SSL see below) -->
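Review bot: The sample list on the commented-out `enabledCipherSuites` property does not deliver what its own comment promises ("enforcing the minimum 128 bit encryption"): the `*_3DES_EDE_CBC_*` entries give roughly 112 bits of effective strength, and the `RC4_128_MD5`/`RC4_128_SHA` and `TLS_KRB5_*` suites rely on a cipher and MAC that are generally considered weak, so an administrator who uncomments the block as-is gets less than the comment states. Since this sample is what deployments will copy, suggest trimming it to the AES suites it already contains (`TLS_RSA_WITH_AES_128_CBC_SHA`, `TLS_RSA_WITH_AES_256_CBC_SHA` and the `TLS_DHE_*_WITH_AES_*_CBC_SHA` entries) and rewording the comment to `<!-- uncomment to restrict negotiation to the listed suites; keep only suites your JVM supports -->`. The bean definition this property belongs to starts before the hunk.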

Modified: branches/7.4.x/documentation/admin-guide/src/main/docbook/en-US/content/security.xml
===================================================================
--- branches/7.4.x/documentation/admin-guide/src/main/docbook/en-US/content/security.xml	2011-10-07 14:49:25 UTC (rev 3542)
+++ branches/7.4.x/documentation/admin-guide/src/main/docbook/en-US/content/security.xml	2011-10-07 15:25:46 UTC (rev 3543)
@@ -84,23 +84,106 @@
                 The default name of JDBC connection's security-domain is "teiid-security". The default name for Admin connection
                 is "jmx-console". For the Admin connection's security domain, the user is allowed
                 to change which LoginModule that "jmx-console" pointing to, however should not change the name of the domain, as this name is
-                shared between the "admin-console" application.</para>
+                shared between the "admin-console" application.  In existing installations an appropriate security 
+                domain may already be configured for use by administrative clients (typically "jmx-console").
+ 	 	 	    In this case it may be perfectly valid to reuse this existing security domain instead of 
+                creating a new teiid-security security domain.</para>
         </note>    
 			
 		<section>
 			<title>Built-in LoginModules</title>
-			<para>JBossAS provides several LoginModules for common authentication needs, such as authenticating from text files or LDAP.</para>
-			<para>The UsersRolesLoginModule, which utilizes simple text files
-				to authenticate users and to define
-				their groups.  The teiid-jboss-beans.xml configuration file contains an example of how to use UsersRolesLoginModule.  
-				Note that this is typically not for production use and is strongly recommended that you replace this login module. Please 
-                also note that, you can install multiple login modules as part of single security domain configuration and configure them 
-                to part of login process. For example, for "teiid-security" domain, you can configure a file based and also LDAP based login modules, 
-                and have your user authenticated with either both or single login module.  
+			<para>JBossAS provides several LoginModules for common authentication needs, such as authenticating from a 
+                <xref linkend="text-login"/> or a <xref linkend="ldap-login"/>.</para>
+ 	 	 	<para>You can install multiple login modules as part of single security domain configuration and configure them 
+                to part of login process. For example, for "teiid-security" domain, you can configure a file based 
+                and also LDAP based login modules, 
+                and have your user authenticated with either or both login modules.  If you want to write your own 
+                custom login module, check out the Developer's Guide for instructions.  
 	        </para>
-	        <para>See <ulink url="http://community.jboss.org/docs/DOC-11253">LDAP LoginModule configuration</ulink> for utilizing LDAP based authentication.
-            If you want write your own Custom Login module, check out the Developer's Guide for instructions.
-	        </para>
+
+            <section id="text-login">
+                <title>Text Based LoginModule</title>
+                <para>
+                    The UsersRolesLoginModule utilizes simple text files to authenticate users and to define their groups.
+                    The teiid-jboss-beans.xml configuration file contains an example of how to use UsersRolesLoginModule.
+                    <note>
+                        <para>The UsersRolesLoginModule is not recommended for production use and is strongly recommended that you replace this login module.</para>
+                    </note>
+                </para>
+                <para>User
+                    names and passwords are stored in the &lt;profile&gt;conf/props/teiid-security-users.properties file.
+                    <example>
+                        <title>Example user.properties file</title>
+                        <programlisting><![CDATA[# A users.properties file for use with the UsersRolesLoginModule
+                         # username=password
+                         
+                         fred=password
+                         george=password
+                         ...]]></programlisting>
+                    </example>
+            
+                    JAAS role assignments are stored in the &lt;profile&gt;conf/props/teiid-security-roles.properties file.
+                    <example>
+                        <title>Example user.properties file</title>
+                        <programlisting><![CDATA[# A roles.properties file for use with the UsersRolesLoginModule
+                         # username=role1,role2,...
+                         
+                         data_role_1=fred,sally
+                         data_role_2=george
+                         ]]></programlisting>
+                    </example>
+            
+                    User and role names are entirely up to the needs of the given deployment. For example each application team can set their own security constraints for their VDBs, by mapping their VDB data roles to application specific JAAS roles, e.g. app_role_1=user1,user2,user3.
+                    <note>
+                        <para>Teiid data roles names are independent of JAAS roles. VDB creators can choose whatever name they want for their data roles, which are then mapped at deployment time to JAAS roles.</para>
+                    </note>
+                </para>
+            </section>
+            <section id="ldap-login">
+                <title>LDAP Based LoginModule</title>
+                <para>
+                    See
+                    <ulink url="http://community.jboss.org/docs/DOC-11253">LDAP LoginModule configuration</ulink>
+                    for the AS community guide. The following are streamlined installation instruction.
+                    <orderedlist>
+                        <listitem>
+                            <para>If using SSL to the LDAP server, ensure that the Corporate CA Certificate is added to the JRE trust store.</para>
+                        </listitem>
+            
+                        <listitem>
+                            <para>Include LDAP LoginModule in the JAAS Configuration</para>
+                            <para>Configure
+                                LDAP authentication by editing &lt;profile&gt;conf/login-config.xml. If you wish to configure specifically for teiid, then the security domain teiid-security will need to be created/altered.
+                                In new installations the more likely option is that you want to configure LDAP based authentication for the AS itself by modifying the "jmx-console" security domain.
+                                You could do one of the following for Teiid:
+                                <itemizedlist>
+                                    <listitem>
+                                        <para>Reuse the jmx-console (or whatever name you choose) security domain for Teiid by changing the teiid configuration in &lt;profile&gt;/deploy/teiid/teiid-jboss-beans.xml
+                                            to point to jmx-console, rather than teiid-security.
+                                        </para>
+                                    </listitem>
+                                    <listitem>
+                                        <para>Follow the same steps to configure an LDAP security domain named teiid-security.
+                                        </para>
+                                    </listitem>
+                                    <listitem>
+                                        <para>Leave Teiid to use the default file based LoginModule secuirty domain or create an entirely custom security domain configuration.
+                                        </para>
+                                    </listitem>
+                                </itemizedlist>
+                            </para>
+                        </listitem>
+                        <listitem>
+                            <para>Obscure the LDAP Password</para>
+                            <para>
+                                Finally, protect the password following
+                                <ulink url="http://docs.redhat.com/docs/en-US/JBoss_Enterprise_Application_Platform/5/html/Security_Guide/Using_LdapExtLoginModule_with_JaasSecurityDomain.html">these instructions.</ulink>
+                                Note that the salt must be 8 chars andd see also http://community.jboss.org/message/137756#137756 for more on securing passwords.
+                            </para>
+                        </listitem>
+                    </orderedlist>
+                </para>
+            </section>
 		</section>
 		
         <section>
@@ -250,6 +333,8 @@
     <property name="truststorePassword">passwd</property>
     <!--  1-way, 2-way, anonymous -->
     <property name="authenticationMode">1-way</property>
+    <!-- an optional property to constrain the cipher suites to be negotiated between server and client -->
+    <property name="enabledCipherSuites">SSL_RSA_WITH_RC4_128_MD5,SSL_RSA_WITH_RC4_128_SHA</property>
 </bean>]]></programlisting>       
 </example>
            <itemizedlist>
@@ -270,6 +355,7 @@
             public key for the client. Depending upon how you created the keystore and truststores, 
             this may be same file as defined under  "keystoreFilename" property.</para></listitem>
             <listitem><para>truststorePassword - password for the truststore. </para></listitem>
+            <listitem><para>enabledCipherSuites - A comma separated list of cipher suites allowed for encryption between server and client.   The values must be valid supported cipher suites otherwise SSL connections will fail.</para></listitem>
            </itemizedlist>  
       	<section id="ssl_auth">
       		<title>SSL Authentication Modes</title>
@@ -291,8 +377,9 @@
       	</section>
       	<section id="encryption_strength">
       		<title>Encryption Strength</title>
-      		<para>Both anonymous SSL and login only encryption are configured to use 128 bit AES encryption.  
-      		1-way and 2-way SSL allow for cipher suite negotiation based upon the default cipher suites supported by the respective Java platforms of the client and server.		
+      		<para>Both anonymous SSL and login only encryption are configured to use 128 bit AES encryption by default.  By default,
+      		1-way and 2-way SSL allow for cipher suite negotiation based upon the default cipher suites supported by the respective Java platforms of the client and server.
+            User can restrict the cipher suites used for encryption by specifying the <emphasis>enabledCipherSuites</emphasis> property above in ssl configuration.     		
       		</para>
       	</section> 
     </section>

Modified: branches/7.4.x/runtime/src/main/java/org/teiid/transport/SSLConfiguration.java
===================================================================
--- branches/7.4.x/runtime/src/main/java/org/teiid/transport/SSLConfiguration.java	2011-10-07 14:49:25 UTC (rev 3542)
+++ branches/7.4.x/runtime/src/main/java/org/teiid/transport/SSLConfiguration.java	2011-10-07 15:25:46 UTC (rev 3543)
@@ -59,8 +59,10 @@
     private String trustStoreFileName;
     private String trustStorePassword = ""; //$NON-NLS-1$
     private String authenticationMode = ONEWAY;
+    private String[] enabledCipherSuites;
     
-    public SSLEngine getServerSSLEngine() throws IOException, GeneralSecurityException {
+
+	public SSLEngine getServerSSLEngine() throws IOException, GeneralSecurityException {
         if (!isSslEnabled()) {
         	return null;
         }
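Review bot: The re-indented `getServerSSLEngine` signature now starts with a tab while the field declarations above it and the body lines below it use four spaces, and an extra blank line was inserted ahead of it; the original line was only moved, so the diff noise hides the one real change in this hunk (the new `enabledCipherSuites` field). Suggest restoring `    public SSLEngine getServerSSLEngine() throws IOException, GeneralSecurityException {` with space indentation and dropping the added blank line. The method body continues past the end of the hunk.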
@@ -86,10 +88,13 @@
             if (!(Arrays.asList(result.getSupportedCipherSuites()).contains(SocketUtil.ANON_CIPHER_SUITE))) {
             	throw new GeneralSecurityException(RuntimePlugin.Util.getString("SSLConfiguration.no_anonymous")); //$NON-NLS-1$
             }
-            result.setEnabledCipherSuites(new String[] {
-            		SocketUtil.ANON_CIPHER_SUITE
-            });
-        } 
+            result.setEnabledCipherSuites(new String[] {SocketUtil.ANON_CIPHER_SUITE});
+        } else {
+        	if (this.enabledCipherSuites != null) {
+        		result.setEnabledCipherSuites(this.enabledCipherSuites);
+        	}
+        }
+        
         result.setNeedClientAuth(TWOWAY.equals(authenticationMode));
         return result;
     }
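Review bot: The new `else` branch passes the configured `enabledCipherSuites` straight to `result.setEnabledCipherSuites`, which throws `IllegalArgumentException` when any name is not in the engine's supported set, so a mistyped or JVM-unsupported suite surfaces as an unchecked exception rather than the `GeneralSecurityException` with a descriptive message that the anonymous branch raises a few lines above after checking `getSupportedCipherSuites()`. The admin guide in this same commit says connections "will fail" in that case; validating up front gives the operator the offending name instead. The rewrite below mirrors the anonymous branch's check; the message should go through `RuntimePlugin.Util.getString` with a new key rather than the literal shown. `getServerSSLEngine` begins before this hunk.
```java
        } else if (this.enabledCipherSuites != null) {
            // Fail with the same exception type and a clear message, as the anonymous
            // branch does, instead of the IllegalArgumentException SSLEngine would raise.
            String[] supported = result.getSupportedCipherSuites();
            for (String suite : this.enabledCipherSuites) {
                if (!Arrays.asList(supported).contains(suite)) {
                    // TODO: replace literal with a RuntimePlugin.Util.getString(...) key
                    throw new GeneralSecurityException("unsupported cipher suite: " + suite); //$NON-NLS-1$
                }
            }
            result.setEnabledCipherSuites(this.enabledCipherSuites);
        }
        // … unchanged: setNeedClientAuth and return …
```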
@@ -142,4 +147,11 @@
     	this.authenticationMode = value;
     }
     
+	public void setEnabledCipherSuites(String enabledCipherSuites) {
+		this.enabledCipherSuites = enabledCipherSuites.split(","); //$NON-NLS-1$
+	}    
+	
+	public String[] getEnabledCipherSuites() {
+		return enabledCipherSuites;
+	}
 }
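Review bot: `setEnabledCipherSuites` splits on a bare comma, so a value written as `A, B` (the natural way to edit the XML property) yields `" B"`, which can never match a supported suite, a blank value yields `[""]`, and a null argument throws `NullPointerException`; none of these is reported as a configuration error. The getter also returns the internal array, so a caller can mutate the server's configured suite list; `return enabledCipherSuites == null ? null : enabledCipherSuites.clone();` avoids that. The setter rewrite below trims each entry and treats a blank value as "not configured", which is what the `null` check in `getServerSSLEngine` already expects.
```java
	public void setEnabledCipherSuites(String enabledCipherSuites) {
		// A blank value means "no restriction"; getServerSSLEngine checks for null.
		if (enabledCipherSuites == null || enabledCipherSuites.trim().length() == 0) {
			this.enabledCipherSuites = null;
			return;
		}
		// Tolerate whitespace around the commas so "A, B" configures both suites.
		this.enabledCipherSuites = enabledCipherSuites.trim().split("\\s*,\\s*"); //$NON-NLS-1$
	}
```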

Modified: branches/7.4.x/runtime/src/test/java/org/teiid/transport/TestCommSockets.java
===================================================================
--- branches/7.4.x/runtime/src/test/java/org/teiid/transport/TestCommSockets.java	2011-10-07 14:49:25 UTC (rev 3542)
+++ branches/7.4.x/runtime/src/test/java/org/teiid/transport/TestCommSockets.java	2011-10-07 15:25:46 UTC (rev 3543)
@@ -217,6 +217,7 @@
 	@Test public void testAnonSSLConnect() throws Exception {
 		SSLConfiguration config = new SSLConfiguration();
 		config.setMode(SSLConfiguration.ENABLED);
+		config.setEnabledCipherSuites("x"); //ensure that this cipher suite is not used
 		config.setAuthenticationMode(SSLConfiguration.ANONYMOUS);
 		Properties p = new Properties();
 		p.setProperty("org.teiid.sockets.soTimeout", "100");
@@ -255,4 +256,10 @@
 		conn.close();
 	}
 	
+	@Test public void testEnableCipherSuites() throws Exception {
+		SSLConfiguration config = new SSLConfiguration();
+		config.setEnabledCipherSuites("x,y,z");
+		assertArrayEquals(new String[] {"x","y","z"}, config.getEnabledCipherSuites());
+	}
+	
 }
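Review bot: `testEnableCipherSuites` only pins the comma split; nothing in the test changes exercises the non-anonymous path in `getServerSSLEngine` where the configured suites are actually applied, so a suite name the JVM does not support is first noticed when a client connects. A test that sets a suite outside the engine's supported set under `ONEWAY` mode and asserts the resulting exception would pin that failure mode, and a case with whitespace such as `"x, y"` would document whether padded entries are accepted. The anonymous-mode test above already shows the intended "ignored when anonymous" behavior, so only the enabled path is uncovered.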


